MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd
SHA3-384 hash: f17848eac4553c007b0d418a36f2176f171df0b9cbb18f73080e1586c93acd1d918c724b1edb4119fb4d269dd4ce64d3
SHA1 hash: 593e2d15f1f746c067a6030951fa857b3751bc51
MD5 hash: c9861670df7dccc92587a0824614e1fb
humanhash: victor-berlin-oscar-bakerloo
File name:mazx.bin
Download: download sample
Signature Formbook
Create hunting rule
File size:793'088 bytes
First seen:2023-07-06 08:23:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'633 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:JzHfjhnjhu3lqIEF8r62vuanLL0/krHvdsP8JCY4OHVf1q7OnIHfm3I9H:Jz/NnN4lqIr+oLL0/I1sP8Jf11E/WI9
Threatray 3'418 similar samples on MalwareBazaar
TLSH T13AF47C3C1CBC7622C074E2F68F9DC421F294946B3E61DE3765C3999A461EA0265C7E3E
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon ac000396f7c5aec0 (1 x Formbook)
Reporter JAMESWT_WT
Tags:87-121-221-212 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
20630c0707f4913e69098a048ff472eb.rtf
Verdict:
Malicious activity
Analysis date:
2023-07-06 07:04:51 UTC
Tags:
exploit cve-2017-11882 loader formbook xloader trojan stealer
Link:
https://app.any.run/tasks/07046613-50e2-4e80-9ad2-fca77fff1857

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/408937/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.17618.2243.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Restart of the analyzed sample
Launching a process
Launching cmd.exe command interpreter
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64a67a2589e309292a8ac5ef/reports/fe6612da-9db6-4819-af94-87182efed2de/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fadea900-bed8-4513-a00e-bf0953c0d14c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1267912
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1267912 Sample: mazx.bin.exe Startdate: 06/07/2023 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 7 other signatures 2->48 10 mazx.bin.exe 4 2->10         started        process3 file4 34 C:\Users\user\AppData\...\mazx.bin.exe.log, ASCII 10->34 dropped 58 Adds a directory exclusion to Windows Defender 10->58 60 Tries to detect virtualization through RDTSC time measurements 10->60 14 mazx.bin.exe 10->14         started        17 powershell.exe 19 10->17         started        signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 19 explorer.exe 2 1 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 36 atlheadshotphoto.com 15.197.142.173, 49706, 80 TANDEMUS United States 19->36 38 www.theinformativepilot.com 19->38 40 4 other IPs or domains 19->40 50 System process connects to network (likely due to code injection or exploit) 19->50 25 mstsc.exe 19->25         started        28 autoconv.exe 19->28         started        signatures10 process11 signatures12 52 Modifies the context of a thread in another process (thread injection) 25->52 54 Maps a DLL or memory area into another process 25->54 56 Tries to detect virtualization through RDTSC time measurements 25->56 30 cmd.exe 1 25->30         started        process13 process14 32 conhost.exe 30->32         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-07-06 07:37:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6x5kd6ouoyjaua7rugd7f6mbjlpwtd5jyajd5vckfnootlmakw6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
037e60b0e473203e85de83344c643623b519c8b47279f9e6c0b74201ece7483f
Formbook
37ae91a0976d913bc1a194207829dc5460afd7b12d4ee22a69129772d151f156
Formbook
4e11fcc1a1b57eda0d4a01087856ab72ea159ec8ad1f8430c0db94fb250c65e2
Formbook
60f594736fc96f0657680d022bd9b9117a4a7d08c1e80812b29d64fa69f814a3
Formbook
75f95b9c0daa55a9d00d3fdc76b74a142314da0f225e6a7fcec22a0582d392d5
Formbook
aafd16655157dc194683021e605766a030e2d4d46462ad37b723d1f1f834bf98
Formbook
ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3
Formbook
e165bef062d93e5a4fd31d8f369fd8144d2158b5c8dcb85be3e06826cb5f81e6
Formbook
ed2689d4f89e5f40f8ddf93839da8b822d008329530090975edb6d0909bee67f
Formbook
fa50f197e39eb37efdbd83462dd11e3057e45f88d9acb8b7e99c50c44c1936b7
Formbook
+ 3'408 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mf6w rat spyware stealer trojan
Link:
https://tria.ge/reports/230706-kapp3sba6y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
93bf910294296262548b8c72f27559f7a53ac661a2408aa027895152ce159246
MD5 hash:
e01ab77d24d1ad06fa9010a4209a204f
SHA1 hash:
e8114cefafa35c6d55fe3d2c6b6046c4b81ca254
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
Parent samples :
cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca
037e60b0e473203e85de83344c643623b519c8b47279f9e6c0b74201ece7483f
c64ca90a3608e3edaaf04f3289f58d018f2e6301409665820d92c61130784d23
e165bef062d93e5a4fd31d8f369fd8144d2158b5c8dcb85be3e06826cb5f81e6
f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd
571890d2bedd6cc0cdf6cccc2e6fc4e19c7489adc30328c24d21e3631d24661e
SH256 hash:
606ba8aaadec05fd014860646c7da91be613aa614e3204b645ef1ecf42d18383
MD5 hash:
654059abdea9a307ee96a07c8822d1be
SHA1 hash:
b8b30a098ef503bfee789482404fdbded8e0cfea
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
SH256 hash:
593e0e9b77b0fe843cb1dd0f879b7928280f917da00e4415a75f835bdf04e8d2
MD5 hash:
f90558c653e974448c269c08bc56fdd0
SHA1 hash:
95b8b04451ecd2e558e93e3f85dbc542794e2a84
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
SH256 hash:
93bf910294296262548b8c72f27559f7a53ac661a2408aa027895152ce159246
MD5 hash:
e01ab77d24d1ad06fa9010a4209a204f
SHA1 hash:
e8114cefafa35c6d55fe3d2c6b6046c4b81ca254
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
Parent samples :
cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca
037e60b0e473203e85de83344c643623b519c8b47279f9e6c0b74201ece7483f
c64ca90a3608e3edaaf04f3289f58d018f2e6301409665820d92c61130784d23
e165bef062d93e5a4fd31d8f369fd8144d2158b5c8dcb85be3e06826cb5f81e6
f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd
571890d2bedd6cc0cdf6cccc2e6fc4e19c7489adc30328c24d21e3631d24661e
SH256 hash:
606ba8aaadec05fd014860646c7da91be613aa614e3204b645ef1ecf42d18383
MD5 hash:
654059abdea9a307ee96a07c8822d1be
SHA1 hash:
b8b30a098ef503bfee789482404fdbded8e0cfea
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
SH256 hash:
593e0e9b77b0fe843cb1dd0f879b7928280f917da00e4415a75f835bdf04e8d2
MD5 hash:
f90558c653e974448c269c08bc56fdd0
SHA1 hash:
95b8b04451ecd2e558e93e3f85dbc542794e2a84
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
SH256 hash:
93bf910294296262548b8c72f27559f7a53ac661a2408aa027895152ce159246
MD5 hash:
e01ab77d24d1ad06fa9010a4209a204f
SHA1 hash:
e8114cefafa35c6d55fe3d2c6b6046c4b81ca254
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
Parent samples :
cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca
037e60b0e473203e85de83344c643623b519c8b47279f9e6c0b74201ece7483f
c64ca90a3608e3edaaf04f3289f58d018f2e6301409665820d92c61130784d23
e165bef062d93e5a4fd31d8f369fd8144d2158b5c8dcb85be3e06826cb5f81e6
f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd
571890d2bedd6cc0cdf6cccc2e6fc4e19c7489adc30328c24d21e3631d24661e
SH256 hash:
93bf910294296262548b8c72f27559f7a53ac661a2408aa027895152ce159246
MD5 hash:
e01ab77d24d1ad06fa9010a4209a204f
SHA1 hash:
e8114cefafa35c6d55fe3d2c6b6046c4b81ca254
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
Parent samples :
cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca
037e60b0e473203e85de83344c643623b519c8b47279f9e6c0b74201ece7483f
c64ca90a3608e3edaaf04f3289f58d018f2e6301409665820d92c61130784d23
e165bef062d93e5a4fd31d8f369fd8144d2158b5c8dcb85be3e06826cb5f81e6
f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd
571890d2bedd6cc0cdf6cccc2e6fc4e19c7489adc30328c24d21e3631d24661e
SH256 hash:
606ba8aaadec05fd014860646c7da91be613aa614e3204b645ef1ecf42d18383
MD5 hash:
654059abdea9a307ee96a07c8822d1be
SHA1 hash:
b8b30a098ef503bfee789482404fdbded8e0cfea
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
SH256 hash:
606ba8aaadec05fd014860646c7da91be613aa614e3204b645ef1ecf42d18383
MD5 hash:
654059abdea9a307ee96a07c8822d1be
SHA1 hash:
b8b30a098ef503bfee789482404fdbded8e0cfea
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
SH256 hash:
593e0e9b77b0fe843cb1dd0f879b7928280f917da00e4415a75f835bdf04e8d2
MD5 hash:
f90558c653e974448c269c08bc56fdd0
SHA1 hash:
95b8b04451ecd2e558e93e3f85dbc542794e2a84
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
SH256 hash:
593e0e9b77b0fe843cb1dd0f879b7928280f917da00e4415a75f835bdf04e8d2
MD5 hash:
f90558c653e974448c269c08bc56fdd0
SHA1 hash:
95b8b04451ecd2e558e93e3f85dbc542794e2a84
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
SH256 hash:
f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd
MD5 hash:
c9861670df7dccc92587a0824614e1fb
SHA1 hash:
593e2d15f1f746c067a6030951fa857b3751bc51
Link:
https://www.unpac.me/results/28b09d14-47ee-419f-a316-2b219d08dd19/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f5faa1f9d476/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f5faa1f9d476120a03f1a187f2f9814adf698fa9c0123ed44a2b5ce9ad8055bd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2676882/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/408937/

Comments